IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
2bfe5ff689
freeipa/install/share/ipa.conf.template

230 lines
6.4 KiB
Plaintext
Raw Normal View History

Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443
2008-05-07 08:33:00 -05:00
#
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
# VERSION 31 - DO NOT REMOVE THIS LINE
Store session cookie in ccache for cli users Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
2012-06-06 21:54:16 -05:00
#
# This file may be overwritten on upgrades.
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443
2008-05-07 08:33:00 -05:00
#
Second (final) part of xmlrpc patch.
0000-12-31 18:09:24 -05:50
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
# Load lookup_identity module in case it has not been loaded yet
# The module is used to search users according the certificate.
<IfModule !lookup_identity_module>
LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>
Second (final) part of xmlrpc patch.
0000-12-31 18:09:24 -05:50
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
ProxyRequests Off
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
#We use xhtml, a file format that the browser validates
SUDO Rule Search and Details Pages The search and details pages for SUDO Rule have been added. Codes that are shared with HBAC have been moved to rule.js. The following methods were renamed for consistency: - ipa_details_load() -> ipa_details_refresh() - ipa_details_display() -> ipa_details_load() The ipa_details_cache has been removed because the cache is now stored in each widget. The index.xhtml has been removed. All references to it has been changed to index.html. The Unselect All checkbox has been fixed. Unnecessary parameter 'container' has been removed. The unit test has been updated and new test data has been added.
2010-11-18 20:17:14 -06:00
DirectoryIndex index.html
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
Increase LimitRequestFieldSize in Apache config to support a 64KiB PAC https://fedorahosted.org/freeipa/ticket/2767
2012-06-14 10:15:30 -05:00
# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
Increase Apache HTTPD's default keep alive timeout Apache has a default keep alive timeout of 5 seconds. That's too low for interactive commands, e.g. password prompts. 30 seconds sounds like a good compromise. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-20 02:47:56 -05:00
# Increase connection keep alive time. Default value is 5 seconds, which is too
# short for interactive ipa commands. 30 seconds is a good compromise.
KeepAlive On
KeepAliveTimeout 30
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
# ipa-rewrite.conf is loaded separately
Require SSL for the XML-RPC interface
2007-10-19 09:14:30 -05:00
Use only system fonts This commit changes how fonts are used. - remove usage of bundled fonts and only system fonts are used instead - by using alias in httpd conf - by using local("Font Name") directive in font-face - removed usage of overpass font - redefined Open Sans font-face declarations. Note: upstream is doing the same change so we will be fine on upgrade. - introduce variable.less for variable definitions and overrides. This file will be very useful when we upgrade to newer RCUE so we will be able to redefine their and bootstrap's variables. Fixes: https://fedorahosted.org/freeipa/ticket/2861
2013-12-04 09:15:20 -06:00
# Proper header for .tff fonts
AddType application/x-font-ttf ttf
Enable mod_deflate Enabled mod_deflate for: * text/html (HTML files) * text/plain (for future use) * text/css (CSS files) * text/xml (XML RPC) * application/javascript (JavaScript files) * application/json (JSON RPC) * application/x-font-woff (woff fonts) Added proper mime type for woff fonts. Disabled etag header because it doesn't work with mod_deflate. https://fedorahosted.org/freeipa/ticket/3326
2012-12-04 06:24:58 -06:00
# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
Use only system fonts This commit changes how fonts are used. - remove usage of bundled fonts and only system fonts are used instead - by using alias in httpd conf - by using local("Font Name") directive in font-face - removed usage of overpass font - redefined Open Sans font-face declarations. Note: upstream is doing the same change so we will be fine on upgrade. - introduce variable.less for variable definitions and overrides. This file will be very useful when we upgrade to newer RCUE so we will be able to redefine their and bootstrap's variables. Fixes: https://fedorahosted.org/freeipa/ticket/2861
2013-12-04 09:15:20 -06:00
application/javascript application/json text/css \
application/x-font-ttf
Enable mod_deflate Enabled mod_deflate for: * text/html (HTML files) * text/plain (for future use) * text/css (CSS files) * text/xml (XML RPC) * application/javascript (JavaScript files) * application/json (JSON RPC) * application/x-font-woff (woff fonts) Added proper mime type for woff fonts. Disabled etag header because it doesn't work with mod_deflate. https://fedorahosted.org/freeipa/ticket/3326
2012-12-04 06:24:58 -06:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
WSGISocketPrefix $WSGI_PREFIX_DIR
Add mod_python adapter and some UI tuning
2009-10-26 06:16:18 -05:00
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen.
2007-09-10 15:33:01 -05:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# Configure mod_wsgi handler for /ipa
Increase WSGI process count to 5 on 64bit Increase the WSGI daemon worker process count from 2 processes to 5 processes. This allows IPA RPC to handle more parallel requests. The additional processes increase memory consumption by approximante 250 MB in total. Since memory is scarce on 32bit platforms, only 64bit platforms are bumped to 5 workers. Fixes: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-14 10:04:13 -05:00
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
Require UTF-8 fs encoding http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html https://pagure.io/freeipa/issue/5887 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-17 04:42:33 -06:00
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
lang=C.UTF-8 locale=C.UTF-8
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
Add mod_python adapter and some UI tuning
2009-10-26 06:16:18 -05:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# Turn off mod_msgi handler for errors, config, crl:
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
<Location "/ipa/errors">
SetHandler None
</Location>
<Location "/ipa/config">
SetHandler None
</Location>
<Location "/ipa/crl">
SetHandler None
</Location>
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
Use mod_auth_gssapi instead of mod_auth_kerb. https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-03-30 03:17:55 -05:00
AuthType GSSAPI
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
AuthName "Kerberos Login"
Change session handling Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-19 08:23:55 -05:00
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-06 08:04:58 -05:00
# Uncomment the following to have shorter sessions, but beware this may break
# old IPA client tols that incorrectly parse cookies.
# SessionMaxAge 1800
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
GssapiSessionKey file:$GSSAPI_SESSION_KEY
Change session handling Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-19 08:23:55 -05:00
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
GssapiImpersonate On
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
GssapiDelegCcacheDir $IPA_CCACHES
Add a new user to run the framework code Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-16 08:03:19 -05:00
GssapiDelegCcachePerms mode:0660 gid:ipaapi
Use mod_auth_gssapi instead of mod_auth_kerb. https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-03-30 03:17:55 -05:00
GssapiUseS4U2Proxy on
mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browser will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114 Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-17 05:40:29 -05:00
GssapiAllowedMech krb5
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
Provide Kerberos over HTTP (MS-KKDCP) Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-23 10:01:00 -05:00
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Add X-Frame-Options and frame-ancestors options These two options allow preventing clickjacking attacks. They don't allow open FreeIPA in frame, iframe or object element. https://fedorahosted.org/freeipa/ticket/4631 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-03-10 11:32:50 -06:00
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
Deduplicate session cookies in headers This removes one of the 2 identical copies of the ipa_session cookie Fixes https://fedorahosted.org/freeipa/ticket/6676 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-16 12:29:10 -06:00
# mod_session always sets two copies of the cookie, and this confuses our
# legacy clients, the unset here works because it ends up unsetting only one
# of the 2 header tables set by mod_session, leaving the other intact
Header unset Set-Cookie
Move ETag disabling to /ipa virtual server This moves the ETag disabling so that it's specific to the /ipa virtual server rather than being applied to all virtual servers on the machine. This enables better co-existence with other virtual servers that want ETags. Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-22 15:10:48 -06:00
# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
</Location>
Change session handling Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-19 08:23:55 -05:00
# Target for login with internal connections
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
Store session cookie in ccache for cli users Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
2012-06-06 21:54:16 -05:00
Disable authentication to endpoint for serving i18n requests For now JSON service is not available without authentication to IPA. But some of Web UI pages expect translations before or without Login process. Fixes: https://pagure.io/freeipa/issue/7559 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-06-26 03:24:00 -05:00
# Turn off Apache authentication for i18n messages
<Location "/ipa/i18n_messages">
Require all granted
</Location>
Change session handling Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-19 08:23:55 -05:00
# Turn off Apache authentication for password/token based login pages
Implement password based session login * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
2012-02-25 12:39:19 -06:00
<Location "/ipa/session/login_password">
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
Satisfy Any
Don't use deprecated Apache Access options. httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead. Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 14:03:11 -06:00
Require all granted
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
</Location>
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
# Login with user certificate/smartcard configuration
# This configuration needs to be loaded after <Location "/ipa">
<Location "/ipa/session/login_x509">
AuthType none
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
GssapiDelegCcacheDir $IPA_CCACHES
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
GssapiDelegCcachePerms mode:0660 gid:ipaapi
Convert ipa-pki-proxy.conf to use mod_ssl directives Related: https://pagure.io/freeipa/issue/3757 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-08 12:56:24 -06:00
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
LookupUserByCertificate On
WebUI: cert login: Configure name of parameter used to pass username Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-04-10 06:11:13 -05:00
LookupUserByCertificateParamName "username"
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
GssapiImpersonate On
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
SessionMaxAge 1800
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
GssapiSessionKey file:$GSSAPI_SESSION_KEY
Support certificate login after installation and upgrade Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-09 05:14:21 -06:00
Header unset Set-Cookie
</Location>
Password change capability for form-based auth IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable change the password via web interface. This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services. The actual password change in the script is processed by LDAP password change command. Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services: X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error} (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text https://fedorahosted.org/freeipa/ticket/2276
2012-06-06 07:38:08 -05:00
<Location "/ipa/session/change_password">
Satisfy Any
Don't use deprecated Apache Access options. httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead. Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 14:03:11 -06:00
Require all granted
Password change capability for form-based auth IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable change the password via web interface. This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services. The actual password change in the script is processed by LDAP password change command. Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services: X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error} (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text https://fedorahosted.org/freeipa/ticket/2276
2012-06-06 07:38:08 -05:00
</Location>
Add /session/token_sync POST support This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-28 10:38:40 -05:00
<Location "/ipa/session/sync_token">
Satisfy Any
Don't use deprecated Apache Access options. httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead. Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 14:03:11 -06:00
Require all granted
Add /session/token_sync POST support This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-28 10:38:40 -05:00
</Location>
Add ipa-custodia service Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-08 12:39:29 -05:00
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
Add ipa-custodia service Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-08 12:39:29 -05:00
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
# Do no authentication on the directory that contains error messages
Show (hopefully) useful information if the Kerberos connection fails.
2007-09-24 14:20:34 -05:00
<Directory "/usr/share/ipa/html">
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
SetHandler None
Show (hopefully) useful information if the Kerberos connection fails.
2007-09-24 14:20:34 -05:00
AllowOverride None
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Load updated Web UI files after server upgrade Issue: * There was no caching policy specified. * -> Browsers use their own default policy. * -> After upgrade, some Web UI files might have been actualized some not. * -> With schema change may result into weird bugs in Web UI Solution considerations: 1. Detect server version change and hard-reload at runtime Detection is easy. Problem is the reload. Obvious candidate 'window.location.reload(true)' works in Firefox but not in Chrome because expected behavior when parameter is used is not in standard and therefore Chromium/WebKit authors did not implement it. 2. Application Cache HTML 5 technology which lets web apps to run offline. Besides weird issues with event handlers which I encountered, this would be an ideal candidate. Simple change of manifest file would lead to reload of all files (requires reload of page to used the new files). Showstopper was usage with untrusted certificate. If user did not add exception for the cert or its CA and would visit the page for a second time, all AJAX calls would fail. 3. Set Expires to now() for everything Web UI rarely changes so this is an overkill. Setting it to different value is not a solution either. We can't predict when the upgrade will happen and when new Web UI will be needed. Solution: * Implemented a mini loader which loads basic resources. Dojo loader takes action after Dojo is loaded. * The loader adds a version parameter (?v=__NUM_VERSION__) to all requests. * Version is defined in the loader. It's set to current in `make version-update`. * All static pages use this loader to fetch their resources. * Version is also passed to dojo loader as cache-bust for the same effect. * Expire header was set to 'access time plus 1 year' for /ui folder. Exceptions are HTML files and loader (set to immediate expiration). Possible issues: * Images are cached but not requested with version param. * Images with version and without are considered different * -> We would have to attach version to all URIs - in CSS and in JS. But we should avoid changing jQuery UI CSS. * Proposed solution is to change image name when changing image. Image change is done rarely. * Version is set by build and therefore updated just on server update. It might cause trouble with different update schedule of plugins. * No action taken to address this issue yet. * We might leave it on plugin devs (own .conf in /etc/httpd/conf.d/) * or set expires to now for all plugins * running `make version-update` is required in order to use static version of UI for testing https://fedorahosted.org/freeipa/ticket/3798
2013-08-29 08:19:02 -05:00
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
Show (hopefully) useful information if the Kerberos connection fails.
2007-09-24 14:20:34 -05:00
</Directory>
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
# For CRL publishing
Use Dogtag 10 only when it is available Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-08-23 11:38:45 -05:00
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
SetHandler None
Generate CRLs and make them available from the IPA web server
2009-08-24 12:42:48 -05:00
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Generate CRLs and make them available from the IPA web server
2009-08-24 12:42:48 -05:00
</Directory>
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
Use only system fonts This commit changes how fonts are used. - remove usage of bundled fonts and only system fonts are used instead - by using alias in httpd conf - by using local("Font Name") directive in font-face - removed usage of overpass font - redefined Open Sans font-face declarations. Note: upstream is doing the same change so we will be fine on upgrade. - introduce variable.less for variable definitions and overrides. This file will be very useful when we upgrade to newer RCUE so we will be able to redefine their and bootstrap's variables. Fixes: https://fedorahosted.org/freeipa/ticket/2861
2013-12-04 09:15:20 -06:00
# List explicitly only the fonts we want to serve
Debian: Add paths for open-sans and font-awesome Debian has different paths and path suffix for font-awesome. Let's have explicit paths for all our fonts. Co-authored-by: Timo Aaltonen <tjaalton@debian.org> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-17 06:52:53 -05:00
Alias /ipa/ui/fonts/open-sans "${FONTS_OPENSANS_DIR}"
Alias /ipa/ui/fonts/fontawesome "${FONTS_FONTAWESOME_DIR}"
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-29 03:33:32 -05:00
<Directory "${FONTS_DIR}">
Use only system fonts This commit changes how fonts are used. - remove usage of bundled fonts and only system fonts are used instead - by using alias in httpd conf - by using local("Font Name") directive in font-face - removed usage of overpass font - redefined Open Sans font-face declarations. Note: upstream is doing the same change so we will be fine on upgrade. - introduce variable.less for variable definitions and overrides. This file will be very useful when we upgrade to newer RCUE so we will be able to redefine their and bootstrap's variables. Fixes: https://fedorahosted.org/freeipa/ticket/2861
2013-12-04 09:15:20 -06:00
SetHandler None
AllowOverride None
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Use only system fonts This commit changes how fonts are used. - remove usage of bundled fonts and only system fonts are used instead - by using alias in httpd conf - by using local("Font Name") directive in font-face - removed usage of overpass font - redefined Open Sans font-face declarations. Note: upstream is doing the same change so we will be fine on upgrade. - introduce variable.less for variable definitions and overrides. This file will be very useful when we upgrade to newer RCUE so we will be able to redefine their and bootstrap's variables. Fixes: https://fedorahosted.org/freeipa/ticket/2861
2013-12-04 09:15:20 -06:00
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Directory>
IPA HTTPD config uses /usr/share/static as target for /ipa/ui
2010-08-06 14:43:27 -05:00
# webUI is now completely static, and served out of that directory
rename static to ui Directory rename
2011-01-19 11:26:14 -06:00
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
SetHandler None
AllowOverride None
Ticket Expiration THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app Conflicts: install/static/ipa.js
2010-11-05 18:48:42 -05:00
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Load updated Web UI files after server upgrade Issue: * There was no caching policy specified. * -> Browsers use their own default policy. * -> After upgrade, some Web UI files might have been actualized some not. * -> With schema change may result into weird bugs in Web UI Solution considerations: 1. Detect server version change and hard-reload at runtime Detection is easy. Problem is the reload. Obvious candidate 'window.location.reload(true)' works in Firefox but not in Chrome because expected behavior when parameter is used is not in standard and therefore Chromium/WebKit authors did not implement it. 2. Application Cache HTML 5 technology which lets web apps to run offline. Besides weird issues with event handlers which I encountered, this would be an ideal candidate. Simple change of manifest file would lead to reload of all files (requires reload of page to used the new files). Showstopper was usage with untrusted certificate. If user did not add exception for the cert or its CA and would visit the page for a second time, all AJAX calls would fail. 3. Set Expires to now() for everything Web UI rarely changes so this is an overkill. Setting it to different value is not a solution either. We can't predict when the upgrade will happen and when new Web UI will be needed. Solution: * Implemented a mini loader which loads basic resources. Dojo loader takes action after Dojo is loaded. * The loader adds a version parameter (?v=__NUM_VERSION__) to all requests. * Version is defined in the loader. It's set to current in `make version-update`. * All static pages use this loader to fetch their resources. * Version is also passed to dojo loader as cache-bust for the same effect. * Expire header was set to 'access time plus 1 year' for /ui folder. Exceptions are HTML files and loader (set to immediate expiration). Possible issues: * Images are cached but not requested with version param. * Images with version and without are considered different * -> We would have to attach version to all URIs - in CSS and in JS. But we should avoid changing jQuery UI CSS. * Proposed solution is to change image name when changing image. Image change is done rarely. * Version is set by build and therefore updated just on server update. It might cause trouble with different update schedule of plugins. * No action taken to address this issue yet. * We might leave it on plugin devs (own .conf in /etc/httpd/conf.d/) * or set expires to now for all plugins * running `make version-update` is required in order to use static version of UI for testing https://fedorahosted.org/freeipa/ticket/3798
2013-08-29 08:19:02 -05:00
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
</Directory>
Generate plugin index dynamically https://fedorahosted.org/freeipa/ticket/3235
2013-04-23 12:54:21 -05:00
# Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
AllowOverride None
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Generate plugin index dynamically https://fedorahosted.org/freeipa/ticket/3235
2013-04-23 12:54:21 -05:00
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
Add DS migration plugin and password migration page.
2010-01-12 09:40:09 -06:00
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Use httpd 2.4 syntax for access control The httpd options Allow, Deny, Order, and Satisfy are deprecated in Apache httpd 2.4. These options are provided by the mod_access_compat module and should no longer be used. Replace "Allow from all" with "Require all granted". Removal of "Satisfy Any" needs more investigation. See: httpd.apache.org/docs/2.4/upgrading.html See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html Fixes: pagure.io/freeipa/issue/8305 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-06 02:11:17 -05:00
Require all granted
Rewrite the migration page using WSGI
2010-10-29 08:38:17 -05:00
Options ExecCGI
AddHandler wsgi-script .py
Add DS migration plugin and password migration page.
2010-01-12 09:40:09 -06:00
</Directory>
Reference in New Issue Copy Permalink